Build the token-request body for refreshing an access token. When
clientSecretForPost is non-empty it is appended (for client_secret_post
upstream authentication); leave it empty for public/PKCE clients or when the
secret is carried via the HTTP Basic Authorization header instead.
Build the token-request body for refreshing an access token. When clientSecretForPost is non-empty it is appended (for client_secret_post upstream authentication); leave it empty for public/PKCE clients or when the secret is carried via the HTTP Basic Authorization header instead.